Whenever you try to accept HTML input in your ASP.NET MVC application without applying the [AllowHtml] attribute to the model field, you will run into the following error:
Server Error in '/' Application.
A potentially dangerous Request.Form value was
detected from the client (StepValue="...Enumerable
intSequence = ...").
Description: ASP.NET has detected data in the
request that is potentially dangerous because it might include HTML
markup or script. The data might represent an attempt to compromise the
security of your application, such as a cross-site scripting attack. If
this type of input is appropriate in your application, you can include
code in a web page to explicitly allow it. For more information, see
http://go.microsoft.com/fwlink/?LinkID=212874.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (StepValue="...Enumerable
Source Error:
An unhandled exception was generated during the execution of the current
web request. Information regarding the origin and location of the
exception can be identified using the exception stack trace below.
Stack Trace:
The following are the two most popular ways to allow HTML input in ASP.NET MVC:
- Use the [AllowHtml] attribute on the model field that should accept HTML input (recommended).
- Use [ValidateInput(false)] on the controller action method (not recommended, because it disables request validation for every input field of that request, not just the one that needs HTML).
Example
Create a BlogPost where we want to allow the blog content to contain HTML.
Model class
using System; // needed for DateTime

public class BlogPost {
    public string Title { get; set; }
    public DateTime PostedOn { get; set; }
    public string Tags { get; set; }
    public string Content { get; set; }
}
Controller class
public class BlogPostController : Controller {
    public ActionResult Create() {
        return View();
    }

    [HttpPost]
    public ActionResult Create(BlogPost model) {
        // Razor encodes @ViewBag.HtmlContent when it is rendered, so the posted
        // markup is displayed as text rather than executed.
        ViewBag.HtmlContent = model.Content;
        return View(model);
    }
}
View Page
@using (Html.BeginForm()) {
    @Html.ValidationSummary(true)
    <fieldset>
        <legend>BlogPost</legend>
        <div class="editor-label">
            @Html.LabelFor(model => model.Title)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Title)
            @Html.ValidationMessageFor(model => model.Title)
        </div>
        <div class="editor-label">
            @Html.LabelFor(model => model.PostedOn)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.PostedOn)
            @Html.ValidationMessageFor(model => model.PostedOn)
        </div>
        <div class="editor-label">
            @Html.LabelFor(model => model.Tags)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Tags)
            @Html.ValidationMessageFor(model => model.Tags)
        </div>
        <div class="editor-label">
            @Html.LabelFor(model => model.Content)
        </div>
        <div class="editor-field">
            @Html.EditorFor(model => model.Content)
            @Html.ValidationMessageFor(model => model.Content)
        </div>
        <p>
            <input type="submit" value="Create" />
        </p>
        <p>
            Posted Content : @ViewBag.HtmlContent
        </p>
    </fieldset>
}
Method 1: Example with [AllowHtml] Attribute (Recommended)
By using the AllowHtml attribute we limit HTML input to particular fields; every other field in the request is still checked by request validation. In our example we allow HTML only on the Content field of BlogPost.
Change your BlogPost model and add the [AllowHtml] attribute as follows:
using System;         // DateTime
using System.Web.Mvc; // AllowHtml

public class BlogPost {
    public string Title { get; set; }
    public DateTime PostedOn { get; set; }
    public string Tags { get; set; }

    // Request validation is skipped for this one property only.
    [AllowHtml]
    public string Content { get; set; }
}
Method 2: Example with [ValidateInput(false)] (Non-Recommended)
You can also allow HTML by simply turning off request validation on the controller action method, as shown in the following example:
public class BlogPostController : Controller {
    public ActionResult Create() {
        return View();
    }

    [HttpPost]
    [ValidateInput(false)] // disables request validation for the whole request
    public ActionResult Create(BlogPost model) {
        ViewBag.HtmlContent = model.Content;
        return View(model);
    }
}
The problem with [ValidateInput(false)] is that it turns off request validation for every field posted to that action method (Title, Tags and anything else in the form), not just the one field that needs HTML, which is why it is the more dangerous option.
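The following is an added example, not code from the original post: it combines the recommended [AllowHtml] approach with an explicit server-side allowlist check on the Content field, so that relaxing request validation for that one property does not mean accepting arbitrary markup. The AllowedHtmlTagsAttribute class, its tag allowlist and the [ValidateAntiForgeryToken] addition are illustrative assumptions of this example; the model and controller names are those used above.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical attribute (not part of ASP.NET MVC): a coarse gate that rejects
// the field if it contains a tag outside the allowlist, an on* event-handler
// attribute, or a javascript: URL. It is a defence-in-depth check on input,
// not an HTML sanitizer; anything rendered with Html.Raw still needs to pass
// a real sanitizer first.
public class AllowedHtmlTagsAttribute : ValidationAttribute
{
    private static readonly string[] Allowed =
        { "p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br" };

    // Captures the tag name of every opening or closing tag.
    private static readonly Regex TagPattern =
        new Regex(@"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", RegexOptions.Compiled);

    // Inline event handlers (onclick=, onerror=, ...) and javascript: URLs.
    private static readonly Regex EventOrScriptUrl =
        new Regex(@"(\son\w+\s*=)|(javascript\s*:)",
                  RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public AllowedHtmlTagsAttribute()
    {
        ErrorMessage = "{0} contains HTML that is not allowed.";
    }

    public override bool IsValid(object value)
    {
        var html = value as string;
        if (string.IsNullOrEmpty(html)) return true; // emptiness is [Required]'s job
        if (EventOrScriptUrl.IsMatch(html)) return false;

        return TagPattern.Matches(html).Cast<Match>()
            .All(m => Allowed.Contains(m.Groups[1].Value.ToLowerInvariant()));
    }
}

public class BlogPost
{
    [Required]
    public string Title { get; set; }
    public DateTime PostedOn { get; set; }
    public string Tags { get; set; }

    // Request validation is relaxed for this one property only; the
    // allowlist attribute keeps an explicit check on what it may contain.
    [AllowHtml]
    [AllowedHtmlTags]
    public string Content { get; set; }
}

public class BlogPostController : Controller
{
    public ActionResult Create()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // pairs with @Html.AntiForgeryToken() in the form
    public ActionResult Create(BlogPost model)
    {
        // The allowlist check runs during model binding; a failure lands in
        // ModelState and the form is redisplayed instead of being accepted.
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Razor encodes @ViewBag.HtmlContent by default, so this displays the
        // markup as text. Only hand Content to Html.Raw after it has been
        // passed through a real HTML sanitizer.
        ViewBag.HtmlContent = model.Content;
        return View(model);
    }
}
```

Posting a Content value such as `<p>Hello <b>world</b></p>` passes both request validation (because of [AllowHtml]) and the allowlist; a value containing `<script>` or an `onclick=` attribute is rejected with a ModelState error for the Content field, while Title and Tags remain covered by ordinary request validation. [ValidateAntiForgeryToken] is an addition over the view shown above, which would need @Html.AntiForgeryToken() inside the form for the POST to succeed.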